CVE-2018-5560 - OpenCVE

A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Guardzilla	Gz521w Gz521w Firmware

Configuration 1 [-]

AND

cpe:2.3:o:guardzilla:gz521w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:guardzilla:gz521w:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/
https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/

History

No history.

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2019-01-31T21:00:00Z

Updated: 2024-09-16T21:04:09.840Z

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5560

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-01-31T21:29:00.270

Modified: 2019-10-09T23:41:29.377

Link: CVE-2018-5560

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Guardzilla All-In-One Video Security System", "vendor": "Practecol, LLC", "versions": [{"status": "affected", "version": "2018"}]}], "credits": [{"lang": "en", "value": "Discovered by Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6, and Chris."}], "datePublic": "2018-12-27T00:00:00", "descriptions": [{"lang": "en", "value": "A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798", "lang": "en", "type": "CWE"}, {"description": "Use of Hard-coded Credentials", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-31T20:57:01", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}], "solutions": [{"lang": "en", "value": "There is no vendor-provided fix available, see work_around."}], "source": {"advisory": "R7-2018-52", "discovery": "EXTERNAL"}, "title": "Guardzilla All-In-One Video Security System Hard-Coded Credential", "workarounds": [{"lang": "en", "value": "Users concerned with video privacy should disable the cloud storage functionality provided by the vendor."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2018-12-27T14:05:00.000Z", "ID": "CVE-2018-5560", "STATE": "PUBLIC", "TITLE": "Guardzilla All-In-One Video Security System Hard-Coded Credential"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Guardzilla All-In-One Video Security System", "version": {"version_data": [{"version_name": "2018", "version_value": "2018"}]}}]}, "vendor_name": "Practecol, LLC"}]}}, "credit": [{"lang": "eng", "value": "Discovered by Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6, and Chris."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798"}, {"lang": "eng", "value": "Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/", "refsource": "MISC", "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"name": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/", "refsource": "MISC", "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}]}, "solution": [{"lang": "en", "value": "There is no vendor-provided fix available, see work_around."}], "source": {"advisory": "R7-2018-52", "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Users concerned with video privacy should disable the cloud storage functionality provided by the vendor."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:40:50.671Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}]}]}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2018-5560", "datePublished": "2019-01-31T21:00:00Z", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2024-09-16T21:04:09.840Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:guardzilla:gz521w_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D9B0D0E-985D-4D0C-9889-6184E6BF391D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:guardzilla:gz521w:-:*:*:*:*:*:*:*", "matchCriteriaId": "2763BE91-5523-44AB-9FB2-A59F2C3AE186", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device."}, {"lang": "es", "value": "La dependencia de una credencial est\u00e1tica embebida en el dise\u00f1o del sistema de almacenamiento basado en la nube en Guardzilla All-In-One Video Security System, de Practecol, permite que un atacante vea los datos privados de todos los usuarios del dispositivo Guardzilla."}], "id": "CVE-2018-5560", "lastModified": "2019-10-09T23:41:29.377", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2019-01-31T21:29:00.270", "references": [{"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}, {"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "cve@rapid7.com", "type": "Secondary"}]}